Cyber Flag exercise focuses on building partnerships

More than 650 cyber professionals from across the DefenseDepartment, other federal agencies and partner nations worked together at theJoint Staff's facility in Suffolk, Virginia, as part of Cyber Flag 19-1, aweeklong cyber exercise designed to enhance readiness for cyberattacks and tobuild partnerships among those who would be called upon during a real-worldevent to keep malicious actors out of critical cyber infrastructure.

Twenty teams – including some that were multinational ormultiagency – worked individually June 21-28 to thwart malicious attacks andintrusions on an Industrial Control Systems/Supervisory Control and DataAcquisition network built specifically for the exercise to simulate one thatmight be used by a U.S.-based port facility.

"Cyber Flag 19-1 focuses on tactical, on-keyboarddefense against a live adversary," said Coast Guard Rear Adm. John Mauger,U.S. Cyber Command's director of exercises and training. "The exercise isset up to increase the readiness of the cyber mission force and deepenpartnerships and increase the readiness of allies and interagency participantsthat are involved in the exercise."

All five members of the "Five Eyes" intelligencealliance – which includes the United States, the United Kingdom, Australia, NewZealand and Canada ­– participated in Cyber Flag. Interagency partners includedthe Department of Homeland Security, the FBI and the Department of Energy.Cyber professionals from the House of Representatives and the U.S. PostalService also participated.

To ensure a greater understanding across participatingagencies and nations, some of the teams were mixed. Army Cyber Command workedwith the Texas National Guard, the Marine Corps worked with the United Kingdom,the Georgia National Guard was paired with Canada, and the PennsylvaniaNational Guard worked with the Georgia National Guard.

"We have more than half the entirety of the teams herewith an outside person who doesn't belong intrinsically to theirorganization," said Capt. Shae Luhowy of the Canadian air force. "Theteams jumped on it. We encouraged it, and we got an overwhelmingly positiveresponse for this exact reason. The teams are very happy to be able to pick up someideas and learn from the other teams they may be sharing with."

Mauger said this was the first time that the PersistentCyber Training Environment was used to prepare participants for Cyber Flag.Cybercom and the Army are developing it to enable collective training. The PCTEallows cyber professionals "to recreate a bit of what we have done here,but recreate it on a frequent basis to get the sets and reps and do this at thetraining scale that we really need to further hone our warfighting capability,"he explained.

Also for the first time this year, the exercise planner forCyber Flag 19-1 is not an American. Luhowy has worked full-time with Cybercomsince August, and he said he's been planning Cyber Flag since he came on board.

Marine Corps Chief Warrant Officer 3 Chris Wild watched overthe combined Marine Corps-U.K. team.

"This is the first time in one of these exercises we'veintentionally merged two of the teams," he said. "We've had onsies,twosies, straphangers before. But this is the first time, where in thisscenario we attached our Marine Corps cyber protection team element to the U.K.forces."

The two teams mesh in some places, and of course, they clashin others, he said. "When it comes to the guys down at the tactical edge,our host subject matter experts – who may focus on Linux, or Windows ordatabases – were able to easily spot the same skill sets on the other side andcreated a fusion cell to work towards that." Analyzing network traffic isthe same, he said.

But the Brits and the Marines do some things differentlythat need to be ironed out -– and Wild was there to smooth out the wrinkles."The U.K. writes orders different than we do," he said. "Theyhave different meanings for some of the tactical tasks than we do. And theyalso spell things a bit differently too. We found the best way to do that isget on a table together and put it on the big screen and go through it."

Army Capt. Jesse Nangauta, a battalion senior intelligenceofficer with Army Cyber Command's 1st Information Operations Command, was the"red team" leader in charge of the 100 cyber professionals playingthe adversarial role.

"We refined the plan based on the overall design of therange and what that network environment looks like, and really refined it inthe last two months or month prior to the execution of the exercise," hesaid. "We really go in and test and rehearse."

The red team provided a contested environment for theexercise's cyber protection teams. "We are essentially trying to maneuveron the network, or conduct malicious activity on the network, like picking upthe targets and moving them across the network and leaving indicators relatedto those targets," Nangauta said. "We also provide feedback to thecyber protection teams as to whether they properly identified us ... orappropriately conducted the defense measures to prevent us from continuing tomaneuver with that malicious activity."

Most of the teams did surprisingly well at defeating histeam's network aggression, Nangauta said, adding that based on what he saw atCyber Flag 19-1, he's not concerned for the future.

"I would absolutely state I am very impressed with ourabilities to adapt to meet the current threats that currently exist," hesaid. "We are doing all the right things when it comes to training."

To sufficiently challenge the teams in a way that preparesthem for the pressures and the demands they'll face in the real world, Maugersaid, Cybercom worked with the Pacific Northwest National Lab and the SandiaNational Lab to build a complex ICS/SCADA network so that the teams couldoperate in a realistic environment against the red team adversary.

But the partnering was just as realistic, and that was thetop priority during Cyber Flag 19-1, the admiral said.

"Our allies and partners are a key strategicwarfighting advantage for the U.S.," he said. "When we go intocombat, we do so with a whole host of support and capability and commitmentfrom other nations. And that makes us unique, especially when contrastedagainst some of our key adversaries at this time."

"The depth of integration between our U.S. teams andour allied teams is something we just haven't seen before in this exerciseenvironment," he continued. "I am confident that through the workthat has been done in this exercise to integrate teams and have them work asone and fight together, that we will present an imposing force for ouradversary in this space."

Source: US Army